Nelson B Bolyard wrote:

> I think this may only be true because of the involvement of PKCS5v2.
> If PKCS5v2 was not part of the problem space, I would have said that
> there was no need to use OIDs at all, none whatsoever.  I would have
> said that PK11_ interfaces exist that can do everything you need with
> just mechanisms, and no OIDs.
>
> The SSL library, for example, manages to use many forms of encryption
> without ever identifying any of them with an OID.  If I recall correctly,
> so does the SDR interface which is used to encrypt and decrypt users'
> web site passwords that are remembered by Firefox.
>
> I would have recommended that you look at the SDR interface as an example
> of how to do what you wanted to do, simple encryption of a string with an
> algorithm of your choice and an arbitrary key.  But SDR doesn't use PBE
> and hence doesn't use PKCS#5.

The OpenSSL docs said "Newer applications should use more standard algorithms such as PKCS#5 v2.0 for key derivation", and as this was new code, and as interoperability was important, I decided to follow the advice as it seemed sensible. I did see that the PKCS5v2 function has only been available since v3.12, which is relatively new.

So far 3DES/CBC and AES256/CBC interoperate between OpenSSL and NSS without an issue, which I think is "good enough" for now for what we need it for.

Regards,
Graham